1) Random Firefox pop-ups: Firefox launches by itself and opens up 4 windows.
2) Cannot boot into safemode:
At the safemode option screen, regardless of which safemode boot option (with network, with command prompt, etc.) I choose, the PC reboots and returns me to the safemode option screen. I can only login in “normal mode.”
The random pop-ups and the inability to boot into safemode led me to suspect that my machine may have been infected with something that edited my registry, even though Norton AV v.11, Spybot, and Trend Micro Housecall detect nothing. I've also tried to use Windows Restore to return to a restore point a couple of days before I started experiencing these issues and that did not help.
Here is my DDS log:
DDS (Ver_09-06-26.01) - NTFSx86 Run by Window User at 23:16:37.53 on Sun 11/01/2009 Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2459 [GMT -5:00] AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C} FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6} ============== Running Processes =============== C:\WINDOWS\system32\svchost -k DcomLaunch svchost.exe C:\WINDOWS\System32\svchost.exe -k netsvcs C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe C:\WINDOWS\Explorer.EXE svchost.exe svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\WINDOWS\system32\spoolsv.exe svchost.exe C:\Program Files\Java\jre6\bin\jqs.exe C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\CyberLink\Shared Files\RichVideo.exe C:\WINDOWS\System32\svchost.exe -k imgsvc C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe C:\Program Files\Winamp\winampa.exe C:\WINDOWS\RTHDCPL.EXE C:\CyberLink\PowerDVD\PDVDServ.exe C:\PROGRA~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE C:\Program Files\Logitech\Gaming Software\LWEMon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Java\jre6\bin\jusched.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\system32\wuauclt.exe C:\Download\drivers2\evgamobo\raid\XP 2K RAID floppy.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Download\fix\dds.scr ============== Pseudo HJT Report =============== uStart Page = about:blank BHO: Adobe PDF Link 
Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear uRun: [AlcoholAutomount] "c:\alcohol soft\alcohol 120\axcmd.exe" /automount mRun: [WinampAgent] "c:\program files\winamp\winampa.exe" mRun: [RTHDCPL] RTHDCPL.EXE mRun: [RivaTunerStartupDaemon] "c:\rivatuner v2.22\RivaTuner.exe" /S mRun: [RemoteControl] c:\cyberlink\powerdvd\PDVDServ.exe mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe mRun: [Nero DriveSpeed] c:\progra~1\nero\nero7~1\neroto~1\DRIVES~1.EXE mRun: [Logitech Utility] Logi_MwX.Exe mRun: [LanguageShortcut] c:\cyberlink\powerdvd\language\Language.exe mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k mRun: [Alcmtr] ALCMTR.EXE mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime mRun: [EVGAPrecision] "c:\evga precision\EVGAPrecision.exe" /s mRun: [Start WingMan Profiler] c:\program 
files\logitech\gaming software\LWEMon.exe /noui mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe" mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup mRun: [nwiz] nwiz.exe /install mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe" mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe" mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe" mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe" dRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear StartupFolder: c:\docume~1\window~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html IE: E&xport to 
Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000 IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1234439768546 DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_17-windows-i586.cab DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll ================= FIREFOX =================== FF - ProfilePath - c:\docume~1\window~1\applic~1\mozilla\firefox\profiles\115u7vry.default\ FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\ FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0015-0000-0017-ABCDEFFEDCBA} 
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} ---- FIREFOX POLICIES ---- c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false); c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200); c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true); c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess"); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120); c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3); c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1); c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true); c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0); c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072); 
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true); c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - 
pref("privacy.cpd.formdata", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror"); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false); c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json"); ============= SERVICES / DRIVERS =============== R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};c:\cyberlink\powerdvd\000.fcl [2009-2-22 13560] R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-26 108392] R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-6-26 108392] R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-6-26 2440120] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program 
files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-8-30 102448] R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20091101.022\NAVENG.SYS [2009-11-1 84912] R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20091101.022\NAVEX15.SYS [2009-11-1 1323568] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-2-12 1684736] S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-6-26 23888] S3 RMWPService;RMWPService;c:\reference manager 12\webpublisher\thirdparty\apache2\bin\RMWP_Apache_Admin.exe [2004-1-28 20537] S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?] =============== Created Last 30 ================ 2009-11-01 21:57 <DIR> --d----- C:\Trend Micro 2009-11-01 21:13 93,360 a------- c:\windows\system32\drivers\SBREDrv.sys 2009-11-01 20:44 <DIR> --d----- C:\Spybot - Search & Destroy 2009-11-01 20:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy 2009-11-01 18:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com 2009-11-01 18:54 <DIR> --d----- C:\SUPERAntiSpyware 2009-11-01 18:54 <DIR> --d----- c:\docume~1\window~1\applic~1\SUPERAntiSpyware.com 2009-11-01 18:41 <DIR> --d----- C:\RootkitNO 2009-11-01 17:19 2 a--shrot c:\windows\winstart.bat 2009-11-01 17:19 <DIR> --d----- C:\UnHackMe 2009-11-01 16:37 <DIR> --d----- c:\windows\system32\wbem\Repository 2009-11-01 16:37 <DIR> --d----- C:\DAEMON Tools Lite 2009-11-01 16:37 <DIR> --d----- C:\Any Video Converter Professional 2009-11-01 16:28 4,928 a------- c:\windows\system32\PerfStringBackup.TMP 2009-10-31 23:50 <DIR> --d----- c:\program files\WinDefender32 2009-10-31 23:50 24,791 a------- c:\docume~1\window~1\applic~1\addons.dat 2009-10-31 00:06 <DIR> --d----- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP 2009-10-31 00:06 <DIR> --d----- C:\Codemasters 2009-10-21 02:04 315,392 a------- c:\windows\system32\TubeFinder.exe 2009-10-21 02:04 364,544 a------- 
c:\windows\system32\PropertyGrid.ocx 2009-10-21 02:04 208,500 a------- c:\windows\system32\ReyXpBasics.tlb 2009-10-21 02:04 141,312 a------- c:\windows\system32\MSCMCFR.DLL 2009-10-21 02:04 119,568 a------- c:\windows\system32\VB6FR.DLL 2009-10-21 02:04 101,888 a------- c:\windows\system32\VB6STKIT.DLL 2009-10-21 02:04 84,512 a------- c:\windows\system32\PICCLP32.OCX 2009-10-21 02:04 32,768 a------- c:\windows\system32\CMDLGFR.DLL 2009-10-21 02:04 24,576 a------- c:\windows\system32\ControlSubX.ocx 2009-10-21 02:04 9,728 a------- c:\windows\system32\PCCLPFR.DLL 2009-10-21 02:04 <DIR> --d----- C:\Free FLV Converter 2009-10-21 02:04 <DIR> --d----- c:\docume~1\window~1\applic~1\FreeFLVConverter 2009-10-05 01:18 <DIR> --d----- c:\program files\common files\Macrovision Shared 2009-10-05 01:18 45,392 a----r-- c:\windows\system32\AdobePDF.dll 2009-10-05 01:18 22,872 a----r-- c:\windows\system32\AdobePDFUI.dll ==================== Find3M ==================== 2009-11-01 16:52 691,696 a------- c:\windows\system32\drivers\sptd.sys 2009-10-08 14:57 611,328 a------- c:\windows\system32\uiautomationcore.dll 2009-10-08 14:57 220,160 a------- c:\windows\system32\oleacc.dll 2009-10-08 14:56 20,480 a------- c:\windows\system32\oleaccrc.dll 2009-09-11 09:18 136,192 a------- c:\windows\system32\msv1_0.dll 2009-09-06 03:11 281,760 a------- c:\windows\system32\drivers\atksgt.sys 2009-09-06 03:11 25,888 a------- c:\windows\system32\drivers\lirsgt.sys 2009-09-04 16:03 58,880 a------- c:\windows\system32\msasn1.dll 2009-08-29 03:08 916,480 a------- c:\windows\system32\wininet.dll 2009-08-26 03:00 247,326 -------- c:\windows\system32\strmdll.dll 2009-08-05 04:01 204,800 -------- c:\windows\system32\mswebdvd.dll 2009-08-04 18:52 1,193,832 a------- c:\windows\system32\FM20.DLL 2009-08-04 10:13 2,145,280 -------- c:\windows\system32\ntoskrnl.exe 2009-08-04 09:20 2,023,936 -------- c:\windows\system32\ntkrnlpa.exe 2006-03-08 04:09 8,149 ----h--- c:\docume~1\window~1\applic~1\logs.dat 
============= FINISH: 23:17:46.59 ===============
I am trying to generate a log from RootRepeal, but it is taking several hours to scan, so I am not sure whether it is working or not. The program seems to take over all my system resources and there is no indication of any progress other than "scanning...", and sometimes it looks like the program might be hanging. Is this normal? I have no other programs running and I even turned off my AV while it's scanning.
I just ran MBAM and it detected (and cleaned) 5 instances of the "bifrose" infection. I am still experiencing the issues I outlined in the beginning of the post, so the problem is still not fixed. Below is my MBAM log.
Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3
11/2/2009 2:08:23 AM
mbam-log-2009-11-02 (02-08-23).txt
Scan type: Full Scan (C:\|)
Objects scanned: 318525
Time elapsed: 39 minute(s), 16 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{e86a2093-29b2-31bf-772e-6b13ec6986ba} (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SlysBitch (Bifrose.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinDefend32 (Bifrose.Trace) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Documents and Settings\Window User\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Window User\Application Data\addons.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
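Logs like the one above are easier to triage in bulk when parsed into structure: which sections had hits, whether the section counts in the header agree with the items actually listed, and which registry hits sit in an autostart location (the Active Setup\Installed Components key is consulted at every logon, so an entry there is persistence, not just a leftover trace). The following Python is an added example written for this page; it is not Malwarebytes code and not from the thread. The SAMPLE_LOG is a constructed excerpt reproducing the entries quoted in the post, and AUTOSTART_PREFIXES is an illustrative subset of autostart keys chosen for the example, not an exhaustive list.

```python
import re
from collections import defaultdict

# Constructed excerpt of an MBAM 1.41 log, built from the entries quoted in the thread
# (sample data for this example, not the complete file).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.41
Database version: 3081
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|)
Objects scanned: 318525
Time elapsed: 39 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{e86a2093-29b2-31bf-772e-6b13ec6986ba} (Backdoor.Bifrose) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SlysBitch (Bifrose.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinDefend32 (Bifrose.Trace) -> Quarantined and deleted successfully.

Files Infected:
C:\Documents and Settings\Window User\Application Data\logs.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\Window User\Application Data\addons.dat (Bifrose.Trace) -> Quarantined and deleted successfully.
"""

# Header summary line, e.g. "Registry Keys Infected: 3"
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# Detail section header, e.g. "Registry Keys Infected:"
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detail item: "<path> (<threat>) -> <action>."
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Illustrative subset of registry locations Windows consults at boot/logon (an assumption
# for this example, not a complete autostart list).
AUTOSTART_PREFIXES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)


def parse_mbam_log(text):
    """Return (summary_counts, items_by_section) from an MBAM-style log."""
    summary = {}
    items = defaultdict(list)
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m.group("section")] = int(m.group("count"))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if m:
            items[section].append(
                {"path": m.group("path"), "threat": m.group("threat"), "action": m.group("action")}
            )
    return summary, dict(items)


def threat_families(items):
    """Sorted list of distinct detection names across all sections."""
    return sorted({i["threat"] for sec in items.values() for i in sec})


def triage(summary, items):
    """Return (persistence_keys, count_mismatches).

    persistence_keys: registry hits under a known autostart location.
    count_mismatches: sections whose header count differs from the listed items,
    a sign of a truncated or hand-edited log.
    """
    prefixes = tuple(p.lower() for p in AUTOSTART_PREFIXES)
    persistence = [
        i["path"] for i in items.get("Registry Keys Infected", [])
        if i["path"].lower().startswith(prefixes)
    ]
    mismatches = {
        sec: (count, len(items.get(sec, [])))
        for sec, count in summary.items()
        if count != len(items.get(sec, []))
    }
    return persistence, mismatches


if __name__ == "__main__":
    summary, items = parse_mbam_log(SAMPLE_LOG)
    print("families:", threat_families(items))
    persistence, mismatches = triage(summary, items)
    print("autostart persistence:", persistence)
    print("count mismatches:", mismatches or "none")
```

On the excerpt above the parser reports two detection names, one autostart persistence key (the Active Setup entry) and no count mismatches; the two HKCU\SOFTWARE keys and the two .dat files are classified as traces rather than persistence, which matches the "Bifrose.Trace" labelling in the log.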
Ok, so it seems like maybe RootRepeal just takes a long time to scan. I am going to let it scan overnight and post the log once it's done. Please let me know if there is anything else I can include.
[edit]
Ok, I am experiencing a problem with RootRepeal. I can scan using any of the tabs and generate a report except for "hidden services" and "shadow SSDT." If I scan these tabs, RootRepeal hangs and my system slows to a crawl even after I close RootRepeal. I am not sure if that is related to the infection on my machine. At any rate, below are the RR logs I was able to generate using the tabs that didn't cause RR to hang.
RootRepeal drivers scan
ROOTREPEAL (c) AD, 2007-2009 ================================================== Scan Start Time: 2009/11/02 07:03 Program Version: Version 1.3.5.0 Windows Version: Windows XP SP3 ================================================== Drivers ------------------- Name: 000.fcl Image Path: C:\CyberLink\PowerDVD\000.fcl Address: 0xBA64C000 Size: 6656 File Visible: - Signed: - Status: - Name: 1394BUS.SYS Image Path: C:\WINDOWS\System32\DRIVERS\1394BUS.SYS Address: 0xBA0B8000 Size: 57344 File Visible: - Signed: - Status: - Name: a38fasy1.SYS Image Path: C:\WINDOWS\System32\Drivers\a38fasy1.SYS Address: 0xB9489000 Size: 225280 File Visible: - Signed: - Status: - Name: ACPI.sys Image Path: ACPI.sys Address: 0xB9E6E000 Size: 187776 File Visible: - Signed: - Status: - Name: ACPI_HAL Image Path: \Driver\ACPI_HAL Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: - Name: ad4p5khu.SYS Image Path: C:\WINDOWS\System32\Drivers\ad4p5khu.SYS Address: 0xB9450000 Size: 233472 File Visible: - Signed: - Status: - Name: afd.sys Image Path: C:\WINDOWS\System32\drivers\afd.sys Address: 0xB685A000 Size: 138496 File Visible: - Signed: - Status: - Name: arp1394.sys Image Path: C:\WINDOWS\System32\DRIVERS\arp1394.sys Address: 0xBA268000 Size: 60800 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0xB9E26000 Size: 98304 File Visible: - Signed: - Status: - Name: atapi.sys Image Path: atapi.sys Address: 0x00000000 Size: 0 File Visible: - Signed: - Status: - Name: atksgt.sys Image Path: C:\WINDOWS\system32\DRIVERS\atksgt.sys Address: 0xB5B1E000 Size: 274432 File Visible: - Signed: - Status: - Name: ATMFD.DLL Image Path: C:\WINDOWS\System32\ATMFD.DLL Address: 0xBFFA0000 Size: 286720 File Visible: - Signed: - Status: - Name: audstub.sys Image Path: C:\WINDOWS\System32\DRIVERS\audstub.sys Address: 0xBA725000 Size: 3072 File Visible: - Signed: - Status: - Name: Beep.SYS Image Path: C:\WINDOWS\System32\Drivers\Beep.SYS Address: 0xBA646000 Size: 4224 File 
Visible: - Signed: - Status: - Name: BOOTVID.dll Image Path: C:\WINDOWS\system32\BOOTVID.dll Address: 0xBA4B8000 Size: 12288 File Visible: - Signed: - Status: - Name: Cdfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Cdfs.SYS Address: 0xB9419000 Size: 63744 File Visible: - Signed: - Status: - Name: cdrom.sys Image Path: C:\WINDOWS\System32\DRIVERS\cdrom.sys Address: 0xBA318000 Size: 62976 File Visible: - Signed: - Status: - Name: CLASSPNP.SYS Image Path: C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS Address: 0xBA108000 Size: 53248 File Visible: - Signed: - Status: - Name: disk.sys Image Path: disk.sys Address: 0xBA0F8000 Size: 36352 File Visible: - Signed: - Status: - Name: drmk.sys Image Path: C:\WINDOWS\system32\drivers\drmk.sys Address: 0xBA288000 Size: 61440 File Visible: - Signed: - Status: - Name: dump_diskdump.sys Image Path: C:\WINDOWS\System32\Drivers\dump_diskdump.sys Address: 0xBA578000 Size: 16384 File Visible: No Signed: - Status: - Name: dump_nvgts.sys Image Path: C:\WINDOWS\System32\Drivers\dump_nvgts.sys Address: 0xB65BF000 Size: 151552 File Visible: No Signed: - Status: - Name: Dxapi.sys Image Path: C:\WINDOWS\System32\drivers\Dxapi.sys Address: 0xB92CC000 Size: 12288 File Visible: - Signed: - Status: - Name: dxg.sys Image Path: C:\WINDOWS\System32\drivers\dxg.sys Address: 0xBF000000 Size: 73728 File Visible: - Signed: - Status: - Name: dxgthk.sys Image Path: C:\WINDOWS\System32\drivers\dxgthk.sys Address: 0xBA712000 Size: 4096 File Visible: - Signed: - Status: - Name: eeCtrl.sys Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys Address: 0xB66F7000 Size: 385024 File Visible: - Signed: - Status: - Name: EraserUtilRebootDrv.sys Image Path: C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys Address: 0xB66DA000 Size: 118784 File Visible: - Signed: - Status: - Name: fdc.sys Image Path: C:\WINDOWS\System32\DRIVERS\fdc.sys Address: 0xBA3D0000 Size: 27392 File Visible: - Signed: - Status: - Name: Fips.SYS 
Image Path: C:\WINDOWS\System32\Drivers\Fips.SYS Address: 0xB6BF9000 Size: 44544 File Visible: - Signed: - Status: - Name: fltmgr.sys Image Path: fltmgr.sys Address: 0xB9DC7000 Size: 129792 File Visible: - Signed: - Status: - Name: Fs_Rec.SYS Image Path: C:\WINDOWS\System32\Drivers\Fs_Rec.SYS Address: 0xBA618000 Size: 7936 File Visible: - Signed: - Status: - Name: ftdisk.sys Image Path: ftdisk.sys Address: 0xB9E3E000 Size: 125056 File Visible: - Signed: - Status: - Name: giveio.sys Image Path: giveio.sys Address: 0xBA671000 Size: 1664 File Visible: No Signed: - Status: - Name: hal.dll Image Path: C:\WINDOWS\system32\hal.dll Address: 0x806E4000 Size: 134400 File Visible: - Signed: - Status: - Name: HDAudBus.sys Image Path: C:\WINDOWS\System32\DRIVERS\HDAudBus.sys Address: 0xB95D2000 Size: 151552 File Visible: - Signed: - Status: - Name: HIDCLASS.SYS Image Path: C:\WINDOWS\System32\Drivers\HIDCLASS.SYS Address: 0xBA248000 Size: 36864 File Visible: - Signed: - Status: - Name: HIDPARSE.SYS Image Path: C:\WINDOWS\System32\Drivers\HIDPARSE.SYS Address: 0xBA430000 Size: 28672 File Visible: - Signed: - Status: - Name: hidusb.sys Image Path: C:\WINDOWS\System32\DRIVERS\hidusb.sys Address: 0xB95BE000 Size: 10368 File Visible: - Signed: - Status: - Name: HTTP.sys Image Path: C:\WINDOWS\System32\Drivers\HTTP.sys Address: 0xB55DB000 Size: 264832 File Visible: - Signed: - Status: - Name: i8042prt.sys Image Path: C:\WINDOWS\System32\DRIVERS\i8042prt.sys Address: 0xBA2F8000 Size: 52480 File Visible: - Signed: - Status: - Name: imapi.sys Image Path: C:\WINDOWS\System32\DRIVERS\imapi.sys Address: 0xBA308000 Size: 42112 File Visible: - Signed: - Status: - Name: intelppm.sys Image Path: C:\WINDOWS\System32\DRIVERS\intelppm.sys Address: 0xBA2D8000 Size: 36352 File Visible: - Signed: - Status: - Name: ipnat.sys Image Path: C:\WINDOWS\System32\DRIVERS\ipnat.sys Address: 0xB68D2000 Size: 152832 File Visible: - Signed: - Status: - Name: ipsec.sys Image Path: 
C:\WINDOWS\System32\DRIVERS\ipsec.sys Address: 0xB6951000 Size: 75264 File Visible: - Signed: - Status: - Name: isapnp.sys Image Path: isapnp.sys Address: 0xBA0C8000 Size: 37248 File Visible: - Signed: - Status: - Name: kbdclass.sys Image Path: C:\WINDOWS\System32\DRIVERS\kbdclass.sys Address: 0xBA400000 Size: 24576 File Visible: - Signed: - Status: - Name: kbdhid.sys Image Path: C:\WINDOWS\system32\DRIVERS\kbdhid.sys Address: 0xB53EF000 Size: 14592 File Visible: - Signed: - Status: - Name: KDCOM.DLL Image Path: C:\WINDOWS\system32\KDCOM.DLL Address: 0xBA5A8000 Size: 8192 File Visible: - Signed: - Status: - Name: kmixer.sys Image Path: C:\WINDOWS\system32\drivers\kmixer.sys Address: 0xB4CA1000 Size: 172416 File Visible: - Signed: - Status: - Name: ks.sys Image Path: C:\WINDOWS\System32\DRIVERS\ks.sys Address: 0xB95F7000 Size: 143360 File Visible: - Signed: - Status: - Name: KSecDD.sys Image Path: KSecDD.sys Address: 0xB9DB0000 Size: 92928 File Visible: - Signed: - Status: - Name: LHidFlt2.Sys Image Path: C:\WINDOWS\System32\DRIVERS\LHidFlt2.Sys Address: 0xBA450000 Size: 24448 File Visible: - Signed: - Status: - Name: LHidUsb.Sys Image Path: C:\WINDOWS\System32\Drivers\LHidUsb.Sys Address: 0xBA218000 Size: 33536 File Visible: - Signed: - Status: - Name: lirsgt.sys Image Path: C:\WINDOWS\system32\DRIVERS\lirsgt.sys Address: 0xBA3C0000 Size: 18560 File Visible: - Signed: - Status: - Name: LMouFlt2.Sys Image Path: C:\WINDOWS\System32\DRIVERS\LMouFlt2.Sys Address: 0xB6B99000 Size: 63424 File Visible: - Signed: - Status: - Name: mnmdd.SYS Image Path: C:\WINDOWS\System32\Drivers\mnmdd.SYS Address: 0xBA64A000 Size: 4224 File Visible: - Signed: - Status: - Name: mouclass.sys Image Path: C:\WINDOWS\System32\DRIVERS\mouclass.sys Address: 0xBA3D8000 Size: 23040 File Visible: - Signed: - Status: - Name: mouhid.sys Image Path: C:\WINDOWS\System32\DRIVERS\mouhid.sys Address: 0xB95AA000 Size: 12160 File Visible: - Signed: - Status: - Name: MountMgr.sys Image Path: MountMgr.sys 
Address: 0xBA0D8000 Size: 42368 File Visible: - Signed: - Status: - Name: mrxdav.sys Image Path: C:\WINDOWS\System32\DRIVERS\mrxdav.sys Address: 0xB5B61000 Size: 180608 File Visible: - Signed: - Status: - Name: mrxsmb.sys Image Path: C:\WINDOWS\System32\DRIVERS\mrxsmb.sys Address: 0xB6755000 Size: 455296 File Visible: - Signed: - Status: - Name: Msfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Msfs.SYS Address: 0xBA3C8000 Size: 19072 File Visible: - Signed: - Status: - Name: msgpc.sys Image Path: C:\WINDOWS\System32\DRIVERS\msgpc.sys Address: 0xBA1A8000 Size: 35072 File Visible: - Signed: - Status: - Name: mssmbios.sys Image Path: C:\WINDOWS\System32\DRIVERS\mssmbios.sys Address: 0xB9CA8000 Size: 15488 File Visible: - Signed: - Status: - Name: Mup.sys Image Path: Mup.sys Address: 0xB9CDC000 Size: 105344 File Visible: - Signed: - Status: - Name: NAVENG.SYS Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091101.022\NAVENG.SYS Address: 0xB69AC000 Size: 78208 File Visible: - Signed: - Status: - Name: NAVEX15.SYS Image Path: C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20091101.022\NAVEX15.SYS Address: 0xB69E5000 Size: 1316864 File Visible: - Signed: - Status: - Name: NDIS.sys Image Path: NDIS.sys Address: 0xB9CF6000 Size: 182656 File Visible: - Signed: - Status: - Name: ndistapi.sys Image Path: C:\WINDOWS\System32\DRIVERS\ndistapi.sys Address: 0xBA59C000 Size: 10112 File Visible: - Signed: - Status: - Name: ndisuio.sys Image Path: C:\WINDOWS\System32\DRIVERS\ndisuio.sys Address: 0xBA558000 Size: 14592 File Visible: - Signed: - Status: - Name: ndiswan.sys Image Path: C:\WINDOWS\System32\DRIVERS\ndiswan.sys Address: 0xB9439000 Size: 91520 File Visible: - Signed: - Status: - Name: NDProxy.SYS Image Path: C:\WINDOWS\System32\Drivers\NDProxy.SYS Address: 0xBA1D8000 Size: 40576 File Visible: - Signed: - Status: - Name: netbios.sys Image Path: C:\WINDOWS\System32\DRIVERS\netbios.sys Address: 0xB6C29000 Size: 34688 File Visible: - Signed: - Status: - Name: netbt.sys Image Path: 
C:\WINDOWS\System32\DRIVERS\netbt.sys Address: 0xB687C000 Size: 162816 File Visible: - Signed: - Status: -
Name: nic1394.sys Image Path: C:\WINDOWS\System32\DRIVERS\nic1394.sys Address: 0xBA148000 Size: 61824 File Visible: - Signed: - Status: -
Name: Npfs.SYS Image Path: C:\WINDOWS\System32\Drivers\Npfs.SYS Address: 0xBA3E8000 Size: 30848 File Visible: - Signed: - Status: -
Name: Ntfs.sys Image Path: Ntfs.sys Address: 0xB9D23000 Size: 574976 File Visible: - Signed: - Status: -
Name: ntkrnlpa.exe Image Path: C:\WINDOWS\system32\ntkrnlpa.exe Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: -
Name: Null.SYS Image Path: C:\WINDOWS\System32\Drivers\Null.SYS Address: 0xBA7D1000 Size: 2944 File Visible: - Signed: - Status: -
Name: nv4_disp.dll Image Path: C:\WINDOWS\System32\nv4_disp.dll Address: 0xBF012000 Size: 6189056 File Visible: - Signed: - Status: -
Name: nv4_mini.sys Image Path: C:\WINDOWS\system32\DRIVERS\nv4_mini.sys Address: 0xB9652000 Size: 6280416 File Visible: - Signed: - Status: -
Name: nvatabus.sys Image Path: nvatabus.sys Address: 0xB9DE7000 Size: 106496 File Visible: - Signed: - Status: -
Name: nvatabus.sys Image Path: nvatabus.sys Address: 0x00000000 Size: 0 File Visible: - Signed: - Status: -
Name: NVENETFD.sys Image Path: C:\WINDOWS\System32\DRIVERS\NVENETFD.sys Address: 0xBA278000 Size: 54784 File Visible: - Signed: - Status: -
Name: nvgts.sys Image Path: nvgts.sys Address: 0xB9E01000 Size: 151552 File Visible: - Signed: - Status: -
Name: nvnetbus.sys Image Path: C:\WINDOWS\System32\DRIVERS\nvnetbus.sys Address: 0xBA168000 Size: 40960 File Visible: - Signed: - Status: -
Name: NVNRM.SYS Image Path: C:\WINDOWS\System32\DRIVERS\NVNRM.SYS Address: 0xB94C0000 Size: 958464 File Visible: - Signed: - Status: -
Name: nvoclock.sys Image Path: C:\WINDOWS\nvoclock.sys Address: 0xBA3E0000 Size: 29696 File Visible: - Signed: - Status: -
Name: ohci1394.sys Image Path: ohci1394.sys Address: 0xBA0A8000 Size: 61696 File Visible: - Signed: - Status: -
Name: PartMgr.sys Image Path: PartMgr.sys Address: 0xBA330000 Size: 19712 File Visible: - Signed: - Status: -
Name: pci.sys Image Path: pci.sys Address: 0xB9E5D000 Size: 68224 File Visible: - Signed: - Status: -
Name: PCI_PNP2406 Image Path: \Driver\PCI_PNP2406 Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -
Name: pciide.sys Image Path: pciide.sys Address: 0xBA670000 Size: 3328 File Visible: - Signed: - Status: -
Name: PCIIDEX.SYS Image Path: C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS Address: 0xBA328000 Size: 28672 File Visible: - Signed: - Status: -
Name: PnpManager Image Path: \Driver\PnpManager Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: -
Name: portcls.sys Image Path: C:\WINDOWS\system32\drivers\portcls.sys Address: 0xB6C6B000 Size: 147456 File Visible: - Signed: - Status: -
Name: psched.sys Image Path: C:\WINDOWS\System32\DRIVERS\psched.sys Address: 0xB9388000 Size: 69120 File Visible: - Signed: - Status: -
Name: ptilink.sys Image Path: C:\WINDOWS\System32\DRIVERS\ptilink.sys Address: 0xBA3A8000 Size: 17792 File Visible: - Signed: - Status: -
Name: PxHelp20.sys Image Path: PxHelp20.sys Address: 0xBA118000 Size: 35712 File Visible: - Signed: - Status: -
Name: rasacd.sys Image Path: C:\WINDOWS\System32\DRIVERS\rasacd.sys Address: 0xBA584000 Size: 8832 File Visible: - Signed: - Status: -
Name: rasl2tp.sys Image Path: C:\WINDOWS\System32\DRIVERS\rasl2tp.sys Address: 0xBA178000 Size: 51328 File Visible: - Signed: - Status: -
Name: raspppoe.sys Image Path: C:\WINDOWS\System32\DRIVERS\raspppoe.sys Address: 0xBA188000 Size: 41472 File Visible: - Signed: - Status: -
Name: raspptp.sys Image Path: C:\WINDOWS\System32\DRIVERS\raspptp.sys Address: 0xBA198000 Size: 48384 File Visible: - Signed: - Status: -
Name: raspti.sys Image Path: C:\WINDOWS\System32\DRIVERS\raspti.sys Address: 0xBA3B8000 Size: 16512 File Visible: - Signed: - Status: -
Name: RAW Image Path: \FileSystem\RAW Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: -
Name: rdbss.sys Image Path: C:\WINDOWS\System32\DRIVERS\rdbss.sys Address: 0xB67C5000 Size: 175744 File Visible: - Signed: - Status: -
Name: RDPCDD.sys Image Path: C:\WINDOWS\System32\DRIVERS\RDPCDD.sys Address: 0xBA64E000 Size: 4224 File Visible: - Signed: - Status: -
Name: redbook.sys Image Path: C:\WINDOWS\System32\DRIVERS\redbook.sys Address: 0xBA158000 Size: 57600 File Visible: - Signed: - Status: -
Name: RivaTuner32.sys Image Path: C:\RivaTuner v2.22\RivaTuner32.sys Address: 0xB5730000 Size: 9088 File Visible: - Signed: - Status: -
Name: rootrepeal.sys Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys Address: 0xB5A04000 Size: 49152 File Visible: No Signed: - Status: -
Name: RtkHDAud.sys Image Path: C:\WINDOWS\system32\drivers\RtkHDAud.sys Address: 0xB6C8F000 Size: 5210112 File Visible: - Signed: - Status: -
Name: SCSIPORT.SYS Image Path: C:\WINDOWS\System32\Drivers\SCSIPORT.SYS Address: 0xB9E9C000 Size: 98304 File Visible: - Signed: - Status: -
Name: serenum.sys Image Path: C:\WINDOWS\System32\DRIVERS\serenum.sys Address: 0xBA564000 Size: 15744 File Visible: - Signed: - Status: -
Name: serial.sys Image Path: C:\WINDOWS\System32\DRIVERS\serial.sys Address: 0xBA2E8000 Size: 64512 File Visible: - Signed: - Status: -
Name: SPBBCDrv.sys Image Path: C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys Address: 0xB67F0000 Size: 434176 File Visible: - Signed: - Status: -
Name: spde.sys Image Path: spde.sys Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: - Status: -
Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -
Name: SRTSP.SYS Image Path: C:\WINDOWS\System32\Drivers\SRTSP.SYS Address: 0xB6B27000 Size: 303104 File Visible: - Signed: - Status: -
Name: SRTSPX.SYS Image Path: C:\WINDOWS\System32\Drivers\SRTSPX.SYS Address: 0xB93E9000 Size: 37120 File Visible: - Signed: - Status: -
Name: srv.sys Image Path: C:\WINDOWS\System32\DRIVERS\srv.sys Address: 0xB5AA4000 Size: 333952 File Visible: - Signed: - Status: -
Name: swenum.sys Image Path: C:\WINDOWS\System32\DRIVERS\swenum.sys Address: 0xBA5D6000 Size: 4352 File Visible: - Signed: - Status: -
Name: SYMEVENT.SYS Image Path: C:\WINDOWS\system32\Drivers\SYMEVENT.SYS Address: 0xB69C0000 Size: 151552 File Visible: - Signed: - Status: -
Name: SYMREDRV.SYS Image Path: C:\WINDOWS\System32\Drivers\SYMREDRV.SYS Address: 0xBA378000 Size: 20992 File Visible: - Signed: - Status: -
Name: SYMTDI.SYS Image Path: C:\WINDOWS\System32\Drivers\SYMTDI.SYS Address: 0xB68A4000 Size: 184832 File Visible: - Signed: - Status: -
Name: sysaudio.sys Image Path: C:\WINDOWS\system32\drivers\sysaudio.sys Address: 0xB9399000 Size: 60800 File Visible: - Signed: - Status: -
Name: tcpip.sys Image Path: C:\WINDOWS\System32\DRIVERS\tcpip.sys Address: 0xB68F8000 Size: 361600 File Visible: - Signed: - Status: -
Name: TDI.SYS Image Path: C:\WINDOWS\System32\DRIVERS\TDI.SYS Address: 0xBA388000 Size: 20480 File Visible: - Signed: - Status: -
Name: teefer2.sys Image Path: C:\WINDOWS\system32\DRIVERS\teefer2.sys Address: 0xB9352000 Size: 221184 File Visible: - Signed: - Status: -
Name: termdd.sys Image Path: C:\WINDOWS\System32\DRIVERS\termdd.sys Address: 0xBA1B8000 Size: 40704 File Visible: - Signed: - Status: -
Name: update.sys Image Path: C:\WINDOWS\System32\DRIVERS\update.sys Address: 0xB92F4000 Size: 384768 File Visible: - Signed: - Status: -
Name: USBD.SYS Image Path: C:\WINDOWS\System32\DRIVERS\USBD.SYS Address: 0xBA5E0000 Size: 8192 File Visible: - Signed: - Status: -
Name: usbehci.sys Image Path: C:\WINDOWS\System32\DRIVERS\usbehci.sys Address: 0xBA440000 Size: 30208 File Visible: - Signed: - Status: -
Name: usbhub.sys Image Path: C:\WINDOWS\System32\DRIVERS\usbhub.sys Address: 0xBA258000 Size: 59520 File Visible: - Signed: - Status: -
Name: usbohci.sys Image Path: C:\WINDOWS\System32\DRIVERS\usbohci.sys Address: 0xBA410000 Size: 17152 File Visible: - Signed: - Status: -
Name: USBPORT.SYS Image Path: C:\WINDOWS\System32\DRIVERS\USBPORT.SYS Address: 0xB961A000 Size: 147456 File Visible: - Signed: - Status: -
Name: vga.sys Image Path: C:\WINDOWS\System32\drivers\vga.sys Address: 0xBA3B0000 Size: 20992 File Visible: - Signed: - Status: -
Name: VIDEOPRT.SYS Image Path: C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS Address: 0xB963E000 Size: 81920 File Visible: - Signed: - Status: -
Name: VolSnap.sys Image Path: VolSnap.sys Address: 0xBA0E8000 Size: 52352 File Visible: - Signed: - Status: -
Name: wanarp.sys Image Path: C:\WINDOWS\System32\DRIVERS\wanarp.sys Address: 0xBA1F8000 Size: 34560 File Visible: - Signed: - Status: -
Name: watchdog.sys Image Path: C:\WINDOWS\System32\watchdog.sys Address: 0xBA390000 Size: 20480 File Visible: - Signed: - Status: -
Name: wdmaud.sys Image Path: C:\WINDOWS\system32\drivers\wdmaud.sys Address: 0xB5E0A000 Size: 83072 File Visible: - Signed: - Status: -
Name: Win32k Image Path: \Driver\Win32k Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: -
Name: win32k.sys Image Path: C:\WINDOWS\System32\win32k.sys Address: 0xBF800000 Size: 1847296 File Visible: - Signed: - Status: -
Name: WmBEnum.sys Image Path: C:\WINDOWS\system32\drivers\WmBEnum.sys Address: 0xB9CA4000 Size: 12672 File Visible: - Signed: - Status: -
Name: WmFilter.sys Image Path: C:\WINDOWS\system32\drivers\WmFilter.sys Address: 0xBA470000 Size: 22528 File Visible: - Signed: - Status: -
Name: WMILIB.SYS Image Path: C:\WINDOWS\System32\Drivers\WMILIB.SYS Address: 0xBA5AA000 Size: 8192 File Visible: - Signed: - Status: -
Name: WMIxWDM Image Path: \Driver\WMIxWDM Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: -
Name: WmVirHid.sys Image Path: C:\WINDOWS\system32\drivers\WmVirHid.sys Address: 0xBA65A000 Size: 8064 File Visible: - Signed: - Status: -
Name: WmXlCore.sys Image Path: C:\WINDOWS\system32\drivers\WmXlCore.sys Address: 0xBA1C8000 Size: 42496 File Visible: - Signed: - Status: -
Name: wpsdrvnt.sys Image Path: C:\WINDOWS\system32\drivers\wpsdrvnt.sys Address: 0xBA1E8000 Size: 57344 File Visible: - Signed: - Status: -
Name: WpsHelper.sys Image Path: C:\WINDOWS\system32\drivers\WpsHelper.sys Address: 0xB5BB6000 Size: 144256 File Visible: - Signed: - Status: -
RootRepeal Processes scan
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/02 07:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Processes
-------------------
Path: System PID: 4 Status: -
Path: C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe PID: 180 Status: -
Path: C:\WINDOWS\system32\svchost.exe PID: 212 Status: -
Path: C:\WINDOWS\system32\spoolsv.exe PID: 592 Status: -
Path: C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe PID: 704 Status: -
Path: C:\WINDOWS\system32\smss.exe PID: 872 Status: -
Path: C:\WINDOWS\system32\csrss.exe PID: 932 Status: -
Path: C:\WINDOWS\system32\winlogon.exe PID: 956 Status: -
Path: C:\WINDOWS\system32\services.exe PID: 1008 Status: -
Path: C:\WINDOWS\system32\lsass.exe PID: 1020 Status: -
Path: C:\WINDOWS\system32\svchost.exe PID: 1100 Status: -
Path: C:\WINDOWS\system32\svchost.exe PID: 1200 Status: -
Path: C:\WINDOWS\system32\svchost.exe PID: 1260 Status: -
Path: C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe PID: 1276 Status: -
Path: C:\Program Files\Java\jre6\bin\jqs.exe PID: 1388 Status: -
Path: C:\WINDOWS\system32\svchost.exe PID: 1412 Status: -
Path: C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe PID: 1452 Status: -
Path: C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe PID: 1544 Status: -
Path: C:\WINDOWS\system32\alg.exe PID: 1648 Status: -
Path: C:\WINDOWS\explorer.exe PID: 1748 Status: -
Path: C:\WINDOWS\system32\svchost.exe PID: 1844 Status: -
Path: C:\WINDOWS\system32\svchost.exe PID: 1944 Status: -
Path: C:\WINDOWS\system32\nvsvc32.exe PID: 1996 Status: -
Path: C:\Program Files\CyberLink\Shared Files\RichVideo.exe PID: 2024 Status: -
Path: C:\Program Files\Winamp\winampa.exe PID: 2392 Status: -
Path: C:\WINDOWS\system32\wuauclt.exe PID: 2560 Status: -
Path: C:\Download\fix\RootRepeal.exe PID: 2568 Status: -
Path: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe PID: 2600 Status: -
Path: C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe PID: 2632 Status: -
Path: C:\WINDOWS\RTHDCPL.EXE PID: 2644 Status: -
Path: C:\CyberLink\PowerDVD\PDVDServ.exe PID: 2668 Status: -
Path: C:\PROGRA~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE PID: 2704 Status: -
Path: C:\WINDOWS\system32\ctfmon.exe PID: 2820 Status: -
Path: C:\WINDOWS\system32\wbem\wmiprvse.exe PID: 2864 Status: -
Path: C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE PID: 3072 Status: -
Path: C:\Program Files\Logitech\Gaming Software\LWEMon.exe PID: 3080 Status: -
Path: C:\Program Files\Mozilla Firefox\firefox.exe PID: 3200 Status: -
Path: C:\Program Files\Common Files\Symantec Shared\ccApp.exe PID: 3368 Status: -
Path: C:\Program Files\Java\jre6\bin\jusched.exe PID: 3380 Status: -
Path: C:\WINDOWS\system32\rundll32.exe PID: 3500 Status: -
Path: C:\Program Files\Common Files\Real\Update_OB\realsched.exe PID: 3508 Status: -
Path: C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe PID: 3848 Status: -
RootRepeal SSDT scan
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/11/02 07:03
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

SSDT
-------------------
#: 000 Function Name: NtAcceptConnectPort Status: Not hooked
#: 001 Function Name: NtAccessCheck Status: Not hooked
#: 002 Function Name: NtAccessCheckAndAuditAlarm Status: Not hooked
#: 003 Function Name: NtAccessCheckByType Status: Not hooked
#: 004 Function Name: NtAccessCheckByTypeAndAuditAlarm Status: Not hooked
#: 005 Function Name: NtAccessCheckByTypeResultList Status: Not hooked
#: 006 Function Name: NtAccessCheckByTypeResultListAndAuditAlarm Status: Not hooked
#: 007 Function Name: NtAccessCheckByTypeResultListAndAuditAlarmByHandle Status: Not hooked
#: 008 Function Name: NtAddAtom Status: Not hooked
#: 009 Function Name: NtAddBootEntry Status: Not hooked
#: 010 Function Name: NtAdjustGroupsToken Status: Not hooked
#: 011 Function Name: NtAdjustPrivilegesToken Status: Not hooked
#: 012 Function Name: NtAlertResumeThread Status: Hooked by "<unknown>" at address 0x88c9cab0
#: 013 Function Name: NtAlertThread Status: Hooked by "<unknown>" at address 0x8a2ffa70
#: 014 Function Name: NtAllocateLocallyUniqueId Status: Not hooked
#: 015 Function Name: NtAllocateUserPhysicalPages Status: Not hooked
#: 016 Function Name: NtAllocateUuids Status: Not hooked
#: 017 Function Name: NtAllocateVirtualMemory Status: Hooked by "<unknown>" at address 0x89508700
#: 018 Function Name: NtAreMappedFilesTheSame Status: Not hooked
#: 019 Function Name: NtAssignProcessToJobObject Status: Not hooked
#: 020 Function Name: NtCallbackReturn Status: Not hooked
#: 021 Function Name: NtCancelDeviceWakeupRequest Status: Not hooked
#: 022 Function Name: NtCancelIoFile Status: Not hooked
#: 023 Function Name: NtCancelTimer Status: Not hooked
#: 024 Function Name: NtClearEvent Status: Not hooked
#: 025 Function Name: NtClose Status: Not hooked
#: 026 Function Name: NtCloseObjectAuditAlarm Status: Not hooked
#: 027 Function Name: NtCompactKeys Status: Not hooked
#: 028 Function Name: NtCompareTokens Status: Not hooked
#: 029 Function Name: NtCompleteConnectPort Status: Not hooked
#: 030 Function Name: NtCompressKey Status: Not hooked
#: 031 Function Name: NtConnectPort Status: Hooked by "<unknown>" at address 0x8959f6f0
#: 032 Function Name: NtContinue Status: Not hooked
#: 033 Function Name: NtCreateDebugObject Status: Not hooked
#: 034 Function Name: NtCreateDirectoryObject Status: Not hooked
#: 035 Function Name: NtCreateEvent Status: Not hooked
#: 036 Function Name: NtCreateEventPair Status: Not hooked
#: 037 Function Name: NtCreateFile Status: Not hooked
#: 038 Function Name: NtCreateIoCompletion Status: Not hooked
#: 039 Function Name: NtCreateJobObject Status: Not hooked
#: 040 Function Name: NtCreateJobSet Status: Not hooked
#: 041 Function Name: NtCreateKey Status: Hooked by "spde.sys" at address 0xb9eb50e0
#: 042 Function Name: NtCreateMailslotFile Status: Not hooked
#: 043 Function Name: NtCreateMutant Status: Hooked by "<unknown>" at address 0x894e2700
#: 044 Function Name: NtCreateNamedPipeFile Status: Not hooked
#: 045 Function Name: NtCreatePagingFile Status: Not hooked
#: 046 Function Name: NtCreatePort Status: Not hooked
#: 047 Function Name: NtCreateProcess Status: Not hooked
#: 048 Function Name: NtCreateProcessEx Status: Not hooked
#: 049 Function Name: NtCreateProfile Status: Not hooked
#: 050 Function Name: NtCreateSection Status: Not hooked
#: 051 Function Name: NtCreateSemaphore Status: Not hooked
#: 052 Function Name: NtCreateSymbolicLinkObject Status: Not hooked
#: 053 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0x895846f0
#: 054 Function Name: NtCreateTimer Status: Not hooked
#: 055 Function Name: NtCreateToken Status: Not hooked
#: 056 Function Name: NtCreateWaitablePort Status: Not hooked
#: 057 Function Name: NtDebugActiveProcess Status: Not hooked
#: 058 Function Name: NtDebugContinue Status: Not hooked
#: 059 Function Name: NtDelayExecution Status: Not hooked
#: 060 Function Name: NtDeleteAtom Status: Not hooked
#: 061 Function Name: NtDeleteBootEntry Status: Not hooked
#: 062 Function Name: NtDeleteFile Status: Not hooked
#: 063 Function Name: NtDeleteKey Status: Not hooked
#: 064 Function Name: NtDeleteObjectAuditAlarm Status: Not hooked
#: 065 Function Name: NtDeleteValueKey Status: Not hooked
#: 066 Function Name: NtDeviceIoControlFile Status: Not hooked
#: 067 Function Name: NtDisplayString Status: Not hooked
#: 068 Function Name: NtDuplicateObject Status: Not hooked
#: 069 Function Name: NtDuplicateToken Status: Not hooked
#: 070 Function Name: NtEnumerateBootEntries Status: Not hooked
#: 071 Function Name: NtEnumerateKey Status: Hooked by "spde.sys" at address 0xb9ecdda4
#: 072 Function Name: NtEnumerateSystemEnvironmentValuesEx Status: Not hooked
#: 073 Function Name: NtEnumerateValueKey Status: Hooked by "spde.sys" at address 0xb9ece132
#: 074 Function Name: NtExtendSection Status: Not hooked
#: 075 Function Name: NtFilterToken Status: Not hooked
#: 076 Function Name: NtFindAtom Status: Not hooked
#: 077 Function Name: NtFlushBuffersFile Status: Not hooked
#: 078 Function Name: NtFlushInstructionCache Status: Not hooked
#: 079 Function Name: NtFlushKey Status: Not hooked
#: 080 Function Name: NtFlushVirtualMemory Status: Not hooked
#: 081 Function Name: NtFlushWriteBuffer Status: Not hooked
#: 082 Function Name: NtFreeUserPhysicalPages Status: Not hooked
#: 083 Function Name: NtFreeVirtualMemory Status: Hooked by "<unknown>" at address 0x89502700
#: 084 Function Name: NtFsControlFile Status: Not hooked
#: 085 Function Name: NtGetContextThread Status: Not hooked
#: 086 Function Name: NtGetDevicePowerState Status: Not hooked
#: 087 Function Name: NtGetPlugPlayEvent Status: Not hooked
#: 088 Function Name: NtGetWriteWatch Status: Not hooked
#: 089 Function Name: NtImpersonateAnonymousToken Status: Hooked by "<unknown>" at address 0x88bf12f0
#: 090 Function Name: NtImpersonateClientOfPort Status: Not hooked
#: 091 Function Name: NtImpersonateThread Status: Hooked by "<unknown>" at address 0x88e9d6b8
#: 092 Function Name: NtInitializeRegistry Status: Not hooked
#: 093 Function Name: NtInitiatePowerAction Status: Not hooked
#: 094 Function Name: NtIsProcessInJob Status: Not hooked
#: 095 Function Name: NtIsSystemResumeAutomatic Status: Not hooked
#: 096 Function Name: NtListenPort Status: Not hooked
#: 097 Function Name: NtLoadDriver Status: Not hooked
#: 098 Function Name: NtLoadKey Status: Not hooked
#: 099 Function Name: NtLoadKey2 Status: Not hooked
#: 100 Function Name: NtLockFile Status: Not hooked
#: 101 Function Name: NtLockProductActivationKeys Status: Not hooked
#: 102 Function Name: NtLockRegistryKey Status: Not hooked
#: 103 Function Name: NtLockVirtualMemory Status: Not hooked
#: 104 Function Name: NtMakePermanentObject Status: Not hooked
#: 105 Function Name: NtMakeTemporaryObject Status: Not hooked
#: 106 Function Name: NtMapUserPhysicalPages Status: Not hooked
#: 107 Function Name: NtMapUserPhysicalPagesScatter Status: Not hooked
#: 108 Function Name: NtMapViewOfSection Status: Hooked by "<unknown>" at address 0x894ff6f0
#: 109 Function Name: NtModifyBootEntry Status: Not hooked
#: 110 Function Name: NtNotifyChangeDirectoryFile Status: Not hooked
#: 111 Function Name: NtNotifyChangeKey Status: Not hooked
#: 112 Function Name: NtNotifyChangeMultipleKeys Status: Not hooked
#: 113 Function Name: NtOpenDirectoryObject Status: Not hooked
#: 114 Function Name: NtOpenEvent Status: Hooked by "<unknown>" at address 0x895a96d0
#: 115 Function Name: NtOpenEventPair Status: Not hooked
#: 116 Function Name: NtOpenFile Status: Not hooked
#: 117 Function Name: NtOpenIoCompletion Status: Not hooked
#: 118 Function Name: NtOpenJobObject Status: Not hooked
#: 119 Function Name: NtOpenKey Status: Hooked by "spde.sys" at address 0xb9eb50c0
#: 120 Function Name: NtOpenMutant Status: Not hooked
#: 121 Function Name: NtOpenObjectAuditAlarm Status: Not hooked
#: 122 Function Name: NtOpenProcess Status: Not hooked
#: 123 Function Name: NtOpenProcessToken Status: Hooked by "<unknown>" at address 0x896266d0
#: 124 Function Name: NtOpenProcessTokenEx Status: Not hooked
#: 125 Function Name: NtOpenSection Status: Not hooked
#: 126 Function Name: NtOpenSemaphore Status: Not hooked
#: 127 Function Name: NtOpenSymbolicLinkObject Status: Not hooked
#: 128 Function Name: NtOpenThread Status: Not hooked
#: 129 Function Name: NtOpenThreadToken Status: Hooked by "<unknown>" at address 0x894f7700
#: 130 Function Name: NtOpenThreadTokenEx Status: Not hooked
#: 131 Function Name: NtOpenTimer Status: Not hooked
#: 132 Function Name: NtPlugPlayControl Status: Not hooked
#: 133 Function Name: NtPowerInformation Status: Not hooked
#: 134 Function Name: NtPrivilegeCheck Status: Not hooked
#: 135 Function Name: NtPrivilegeObjectAuditAlarm Status: Not hooked
#: 136 Function Name: NtPrivilegedServiceAuditAlarm Status: Not hooked
#: 137 Function Name: NtProtectVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xba1ed840
#: 138 Function Name: NtPulseEvent Status: Not hooked
#: 139 Function Name: NtQueryAttributesFile Status: Not hooked
#: 140 Function Name: NtQueryBootEntryOrder Status: Not hooked
#: 141 Function Name: NtQueryBootOptions Status: Not hooked
#: 142 Function Name: NtQueryDebugFilterState Status: Not hooked
#: 143 Function Name: NtQueryDefaultLocale Status: Not hooked
#: 144 Function Name: NtQueryDefaultUILanguage Status: Not hooked
#: 145 Function Name: NtQueryDirectoryFile Status: Not hooked
#: 146 Function Name: NtQueryDirectoryObject Status: Not hooked
#: 147 Function Name: NtQueryEaFile Status: Not hooked
#: 148 Function Name: NtQueryEvent Status: Not hooked
#: 149 Function Name: NtQueryFullAttributesFile Status: Not hooked
#: 150 Function Name: NtQueryInformationAtom Status: Not hooked
#: 151 Function Name: NtQueryInformationFile Status: Not hooked
#: 152 Function Name: NtQueryInformationJobObject Status: Not hooked
#: 153 Function Name: NtQueryInformationPort Status: Not hooked
#: 154 Function Name: NtQueryInformationProcess Status: Not hooked
#: 155 Function Name: NtQueryInformationThread Status: Not hooked
#: 156 Function Name: NtQueryInformationToken Status: Not hooked
#: 157 Function Name: NtQueryInstallUILanguage Status: Not hooked
#: 158 Function Name: NtQueryIntervalProfile Status: Not hooked
#: 159 Function Name: NtQueryIoCompletion Status: Not hooked
#: 160 Function Name: NtQueryKey Status: Hooked by "spde.sys" at address 0xb9ece20a
#: 161 Function Name: NtQueryMultipleValueKey Status: Not hooked
#: 162 Function Name: NtQueryMutant Status: Not hooked
#: 163 Function Name: NtQueryObject Status: Not hooked
#: 164 Function Name: NtQueryOpenSubKeys Status: Not hooked
#: 165 Function Name: NtQueryPerformanceCounter Status: Not hooked
#: 166 Function Name: NtQueryQuotaInformationFile Status: Not hooked
#: 167 Function Name: NtQuerySection Status: Not hooked
#: 168 Function Name: NtQuerySecurityObject Status: Not hooked
#: 169 Function Name: NtQuerySemaphore Status: Not hooked
#: 170 Function Name: NtQuerySymbolicLinkObject Status: Not hooked
#: 171 Function Name: NtQuerySystemEnvironmentValue Status: Not hooked
#: 172 Function Name: NtQuerySystemEnvironmentValueEx Status: Not hooked
#: 173 Function Name: NtQuerySystemInformation Status: Not hooked
#: 174 Function Name: NtQuerySystemTime Status: Not hooked
#: 175 Function Name: NtQueryTimer Status: Not hooked
#: 176 Function Name: NtQueryTimerResolution Status: Not hooked
#: 177 Function Name: NtQueryValueKey Status: Hooked by "spde.sys" at address 0xb9ece08a
#: 178 Function Name: NtQueryVirtualMemory Status: Not hooked
#: 179 Function Name: NtQueryVolumeInformationFile Status: Not hooked
#: 180 Function Name: NtQueueApcThread Status: Not hooked
#: 181 Function Name: NtRaiseException Status: Not hooked
#: 182 Function Name: NtRaiseHardError Status: Not hooked
#: 183 Function Name: NtReadFile Status: Not hooked
#: 184 Function Name: NtReadFileScatter Status: Not hooked
#: 185 Function Name: NtReadRequestData Status: Not hooked
#: 186 Function Name: NtReadVirtualMemory Status: Not hooked
#: 187 Function Name: NtRegisterThreadTerminatePort Status: Not hooked
#: 188 Function Name: NtReleaseMutant Status: Not hooked
#: 189 Function Name: NtReleaseSemaphore Status: Not hooked
#: 190 Function Name: NtRemoveIoCompletion Status: Not hooked
#: 191 Function Name: NtRemoveProcessDebug Status: Not hooked
#: 192 Function Name: NtRenameKey Status: Not hooked
#: 193 Function Name: NtReplaceKey Status: Not hooked
#: 194 Function Name: NtReplyPort Status: Not hooked
#: 195 Function Name: NtReplyWaitReceivePort Status: Not hooked
#: 196 Function Name: NtReplyWaitReceivePortEx Status: Not hooked
#: 197 Function Name: NtReplyWaitReplyPort Status: Not hooked
#: 198 Function Name: NtRequestDeviceWakeup Status: Not hooked
#: 199 Function Name: NtRequestPort Status: Not hooked
#: 200 Function Name: NtRequestWaitReplyPort Status: Not hooked
#: 201 Function Name: NtRequestWakeupLatency Status: Not hooked
#: 202 Function Name: NtResetEvent Status: Not hooked
#: 203 Function Name: NtResetWriteWatch Status: Not hooked
#: 204 Function Name: NtRestoreKey Status: Not hooked
#: 205 Function Name: NtResumeProcess Status: Not hooked
#: 206 Function Name: NtResumeThread Status: Hooked by "<unknown>" at address 0x895f16d0
#: 207 Function Name: NtSaveKey Status: Not hooked
#: 208 Function Name: NtSaveKeyEx Status: Not hooked
#: 209 Function Name: NtSaveMergedKeys Status: Not hooked
#: 210 Function Name: NtSecureConnectPort Status: Not hooked
#: 211 Function Name: NtSetBootEntryOrder Status: Not hooked
#: 212 Function Name: NtSetBootOptions Status: Not hooked
#: 213 Function Name: NtSetContextThread Status: Hooked by "<unknown>" at address 0x89be1d10
#: 214 Function Name: NtSetDebugFilterState Status: Not hooked
#: 215 Function Name: NtSetDefaultHardErrorPort Status: Not hooked
#: 216 Function Name: NtSetDefaultLocale Status: Not hooked
#: 217 Function Name: NtSetDefaultUILanguage Status: Not hooked
#: 218 Function Name: NtSetEaFile Status: Not hooked
#: 219 Function Name: NtSetEvent Status: Not hooked
#: 220 Function Name: NtSetEventBoostPriority Status: Not hooked
#: 221 Function Name: NtSetHighEventPair Status: Not hooked
#: 222 Function Name: NtSetHighWaitLowEventPair Status: Not hooked
#: 223 Function Name: NtSetInformationDebugObject Status: Not hooked
#: 224 Function Name: NtSetInformationFile Status: Not hooked
#: 225 Function Name: NtSetInformationJobObject Status: Not hooked
#: 226 Function Name: NtSetInformationKey Status: Not hooked
#: 227 Function Name: NtSetInformationObject Status: Not hooked
#: 228 Function Name: NtSetInformationProcess Status: Hooked by "<unknown>" at address 0x894fa700
#: 229 Function Name: NtSetInformationThread Status: Hooked by "<unknown>" at address 0x894f2700
#: 230 Function Name: NtSetInformationToken Status: Not hooked
#: 231 Function Name: NtSetIntervalProfile Status: Not hooked
#: 232 Function Name: NtSetIoCompletion Status: Not hooked
#: 233 Function Name: NtSetLdtEntries Status: Not hooked
#: 234 Function Name: NtSetLowEventPair Status: Not hooked
#: 235 Function Name: NtSetLowWaitHighEventPair Status: Not hooked
#: 236 Function Name: NtSetQuotaInformationFile Status: Not hooked
#: 237 Function Name: NtSetSecurityObject Status: Not hooked
#: 238 Function Name: NtSetSystemEnvironmentValue Status: Not hooked
#: 239 Function Name: NtSetSystemEnvironmentValueEx Status: Not hooked
#: 240 Function Name: NtSetSystemInformation Status: Not hooked
#: 241 Function Name: NtSetSystemPowerState Status: Not hooked
#: 242 Function Name: NtSetSystemTime Status: Not hooked
#: 243 Function Name: NtSetThreadExecutionState Status: Not hooked
#: 244 Function Name: NtSetTimer Status: Not hooked
#: 245 Function Name: NtSetTimerResolution Status: Not hooked
#: 246 Function Name: NtSetUuidSeed Status: Not hooked
#: 247 Function Name: NtSetValueKey Status: Hooked by "spde.sys" at address 0xb9ece29c
#: 248 Function Name: NtSetVolumeInformationFile Status: Not hooked
#: 249 Function Name: NtShutdownSystem Status: Not hooked
#: 250 Function Name: NtSignalAndWaitForSingleObject Status: Not hooked
#: 251 Function Name: NtStartProfile Status: Not hooked
#: 252 Function Name: NtStopProfile Status: Not hooked
#: 253 Function Name: NtSuspendProcess Status: Hooked by "<unknown>" at address 0x895a66d0
#: 254 Function Name: NtSuspendThread Status: Hooked by "<unknown>" at address 0x8a2ea118
#: 255 Function Name: NtSystemDebugControl Status: Not hooked
#: 256 Function Name: NtTerminateJobObject Status: Not hooked
#: 257 Function Name: NtTerminateProcess Status: Hooked by "<unknown>" at address 0x895f36d0
#: 258 Function Name: NtTerminateThread Status: Hooked by "<unknown>" at address 0x895e86d0
#: 259 Function Name: NtTestAlert Status: Not hooked
#: 260 Function Name: NtTraceEvent Status: Not hooked
#: 261 Function Name: NtTranslateFilePath Status: Not hooked
#: 262 Function Name: NtUnloadDriver Status: Not hooked
#: 263 Function Name: NtUnloadKey Status: Not hooked
#: 264 Function Name: NtUnloadKeyEx Status: Not hooked
#: 265 Function Name: NtUnlockFile Status: Not hooked
#: 266 Function Name: NtUnlockVirtualMemory Status: Not hooked
#: 267 Function Name: NtUnmapViewOfSection Status: Hooked by "<unknown>" at address 0x89bf9d10
#: 268 Function Name: NtVdmControl Status: Not hooked
#: 269 Function Name: NtWaitForDebugEvent Status: Not hooked
#: 270 Function Name: NtWaitForMultipleObjects Status: Not hooked
#: 271 Function Name: NtWaitForSingleObject Status: Not hooked
#: 272 Function Name: NtWaitHighEventPair Status: Not hooked
#: 273 Function Name: NtWaitLowEventPair Status: Not hooked
#: 274 Function Name: NtWriteFile Status: Not hooked
#: 275 Function Name: NtWriteFileGather Status: Not hooked
#: 276 Function Name: NtWriteRequestData Status: Not hooked
#: 277 Function Name: NtWriteVirtualMemory Status: Hooked by "<unknown>" at address 0x89505700
#: 278 Function Name: NtYieldExecution Status: Not hooked
#: 279 Function Name: NtCreateKeyedEvent Status: Not hooked
#: 280 Function Name: NtOpenKeyedEvent Status: Not hooked
#: 281 Function Name: NtReleaseKeyedEvent Status: Not hooked
#: 282 Function Name: NtWaitForKeyedEvent Status: Not hooked
#: 283 Function Name: NtQueryPortInformationProcess Status: Not hooked
No highlights from the stealth objects scan. Sorry for all these logs, I am fairly paranoid and desperate now, and I am ready to reformat the HD.
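Added example (not part of the original post, and not code from RootRepeal or GMER): a Python script that parses the RootRepeal drivers scan and SSDT scan formats posted above and attributes each hook address to the loaded driver whose image range contains it. That is the difference between a line reported as "Hooked by spde.sys" and one reported as "Hooked by <unknown>": the second is an address that falls inside no listed image. It also reads GMER's SSDT lines, which name the same table slots by their Zw aliases, so the two tools' addresses for one function can be compared. The sample input is a constructed excerpt in the same format, not the full logs, and the helper names are this example's own.

```python
"""Attribute SSDT hook addresses to loaded drivers from RootRepeal/GMER text."""
import re
from dataclasses import dataclass

# Constructed excerpts in the formats of the logs above (not the full logs).
DRIVERS_SAMPLE = r"""
Name: spde.sys Image Path: spde.sys Address: 0xB9EB4000 Size: 995328 File Visible: No Signed: - Status: -
Name: sptd Image Path: \Driver\sptd Address: 0x00000000 Size: 0 File Visible: No Signed: - Status: -
Name: wpsdrvnt.sys Image Path: C:\WINDOWS\system32\drivers\wpsdrvnt.sys Address: 0xBA1E8000 Size: 57344 File Visible: - Signed: - Status: -
Name: ntkrnlpa.exe Image Path: C:\WINDOWS\system32\ntkrnlpa.exe Address: 0x804D7000 Size: 2150400 File Visible: - Signed: - Status: -
"""
RR_SSDT_SAMPLE = r"""
#: 011 Function Name: NtAdjustPrivilegesToken Status: Not hooked
#: 012 Function Name: NtAlertResumeThread Status: Hooked by "<unknown>" at address 0x88c9cab0
#: 041 Function Name: NtCreateKey Status: Hooked by "spde.sys" at address 0xb9eb50e0
#: 137 Function Name: NtProtectVirtualMemory Status: Hooked by "C:\WINDOWS\system32\drivers\wpsdrvnt.sys" at address 0xba1ed840
"""
# GMER's SSDT table, flattened onto one line the way extraction left it above.
GMER_SSDT_SAMPLE = r"""SSDT 894FE6D0 ZwAlertResumeThread SSDT sphu.sys ZwCreateKey [0xB9EB50E0] SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xBA1ED840] INT 0x73 ? 8A4C7BF8"""

HEX = r"[0-9A-Fa-f]+"
DRIVER_RE = re.compile(
    r"Name:\s+(?P<name>\S+)\s+Image Path:\s+(?P<path>.+?)\s+Address:\s+0x(?P<base>" + HEX +
    r")\s+Size:\s+(?P<size>\d+)\s+File Visible:\s+(?P<visible>\S+)")
RR_SSDT_RE = re.compile(
    r'#:\s+(?P<idx>\d+)\s+Function Name:\s+(?P<fn>Nt\w+)\s+Status:\s+'
    r'(?:Not hooked|Hooked by "(?P<owner>[^"]*)" at address 0x(?P<addr>' + HEX + r"))")
# GMER prints either a bare hook address or "module Zw... [0xaddr]"; an entry
# ends where the next SSDT/INT token (or the end of the text) begins.
GMER_SSDT_RE = re.compile(
    r"SSDT\s+(?P<lhs>.*?)\s+(?P<fn>Zw\w+)(?:\s+\[0x(?P<addr>" + HEX + r")\])?"
    r"(?=\s+SSDT\s|\s+INT\s|\s*$)")


@dataclass(frozen=True)
class Driver:
    name: str
    base: int
    size: int
    visible: bool  # RootRepeal "File Visible: No": it found no on-disk file for the image


def parse_drivers(text):
    """Loaded images with a real base and size; 0/0 stubs such as \\Driver\\sptd are skipped."""
    out = []
    for m in DRIVER_RE.finditer(text):
        base, size = int(m["base"], 16), int(m["size"])
        if base and size:
            out.append(Driver(m["name"], base, size, m["visible"] != "No"))
    return out


def resolve(addr, drivers):
    """Driver whose image range [base, base+size) contains addr, else None."""
    return next((d for d in drivers if d.base <= addr < d.base + d.size), None)


def parse_rootrepeal_ssdt(text):
    """{NtFunction: hook address} for every entry RootRepeal marks as hooked."""
    return {m["fn"]: int(m["addr"], 16)
            for m in RR_SSDT_RE.finditer(text) if m["addr"]}


def parse_gmer_ssdt(text):
    """Same map from GMER lines, keyed by the Nt name so the two tools line up."""
    hooks = {}
    for m in GMER_SSDT_RE.finditer(text):
        raw = m["addr"] or m["lhs"]
        if re.fullmatch(HEX, raw):
            hooks["Nt" + m["fn"][2:]] = int(raw, 16)
    return hooks


def attribute_hooks(hooks, drivers):
    """{fn: (addr, owning module or '<unknown>', file-visible flag or None)}.
    An address inside no loaded image is exactly what neither tool can name."""
    out = {}
    for fn, addr in hooks.items():
        d = resolve(addr, drivers)
        out[fn] = (addr, d.name if d else "<unknown>", d.visible if d else None)
    return out


def compare(rr_hooks, gmer_hooks):
    """For functions both tools list as hooked: do they report the same address?"""
    return {fn: rr_hooks[fn] == gmer_hooks[fn] for fn in rr_hooks if fn in gmer_hooks}


if __name__ == "__main__":
    drivers = parse_drivers(DRIVERS_SAMPLE)
    rr = parse_rootrepeal_ssdt(RR_SSDT_SAMPLE)
    for fn, (addr, owner, vis) in attribute_hooks(rr, drivers).items():
        print(f"{fn:24s} 0x{addr:08x}  {owner:12s} file visible: {vis}")
    print("same address in GMER:", compare(rr, parse_gmer_ssdt(GMER_SSDT_SAMPLE)))
```

On the excerpt, NtCreateKey resolves to spde.sys (an image the drivers scan lists with no visible file) and NtProtectVirtualMemory to wpsdrvnt.sys, while NtAlertResumeThread resolves to no listed image at all. The comparison flags that last function because GMER reports it at a different address from RootRepeal; the two scans ran several hours apart, which the timestamps in the logs show.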
[edit 2.11.09]
I ran GMER. Below is the output log.
GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-02 16:56:57
Windows 5.1.2600 Service Pack 3
Running: 2w38ztd8.exe; Driver: C:\DOCUME~1\WINDOW~1\LOCALS~1\Temp\uwrdauob.sys

---- System - GMER 1.0.15 ----

SSDT 894FE6D0 ZwAlertResumeThread
SSDT 895016D0 ZwAlertThread
SSDT 89509700 ZwAllocateVirtualMemory
SSDT 895A76F0 ZwConnectPort
SSDT sphu.sys ZwCreateKey [0xB9EB50E0]
SSDT 894E3700 ZwCreateMutant
SSDT 88A8A1F0 ZwCreateThread
SSDT sphu.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT sphu.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT 89503700 ZwFreeVirtualMemory
SSDT 894F96D0 ZwImpersonateAnonymousToken
SSDT 894FC6D0 ZwImpersonateThread
SSDT 895006F0 ZwMapViewOfSection
SSDT 894F66D0 ZwOpenEvent
SSDT sphu.sys ZwOpenKey [0xB9EB50C0]
SSDT 88BC4E10 ZwOpenProcessToken
SSDT 894F8700 ZwOpenThreadToken
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation) ZwProtectVirtualMemory [0xBA1ED840]
SSDT sphu.sys ZwQueryKey [0xB9ECE20A]
SSDT sphu.sys ZwQueryValueKey [0xB9ECE08A]
SSDT 89588710 ZwResumeThread
SSDT 8950A6D0 ZwSetContextThread
SSDT 894FB700 ZwSetInformationProcess
SSDT 894F3700 ZwSetInformationThread
SSDT sphu.sys ZwSetValueKey [0xB9ECE29C]
SSDT 894F46D0 ZwSuspendProcess
SSDT 895046D0 ZwSuspendThread
SSDT 88EC97F8 ZwTerminateProcess
SSDT 895076D0 ZwTerminateThread
SSDT 8950C6D0 ZwUnmapViewOfSection
SSDT 89506700 ZwWriteVirtualMemory

INT 0x73 ? 8A4C7BF8
INT 0xA4 ? 8A40BBF8
INT 0xB1 ? 8A4C7BF8
INT 0xB1 ? 8A4C7BF8
INT 0xB4 ? 8A40BBF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C40 805044DC 2 Bytes [F0, 76]
? sphu.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B96328AC 5 Bytes JMP 8A40B1D8
.text atox1crd.SYS B9489386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text atox1crd.SYS B94893AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text atox1crd.SYS B94893C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text atox1crd.SYS B94893C9 1 Byte [2E]
.text atox1crd.SYS B94893C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
.text ac4yv4ec.SYS B9450386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text ac4yv4ec.SYS B94503AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ac4yv4ec.SYS B94503C4 3 Bytes [00, 80, 02]
.text ac4yv4ec.SYS B94503C9 1 Byte [30]
.text ac4yv4ec.SYS B94503C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\WINDOWS\system32\Drivers\RKREVEAL150.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] sphu.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] sphu.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] sphu.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] sphu.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] sphu.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] sphu.sys
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfAcquireSpinLock] CCCCCCC3
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!READ_PORT_UCHAR] CCCCCCCC
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KeGetCurrentIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfRaiseIrql] CCCCCCCC
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfLowerIrql] 8BEC8B55
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!HalGetInterruptVector] 00C73445
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!HalTranslateBusAddress] 00000000
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KeStallExecutionProcessor] 830C458B
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!KfReleaseSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 053C0D74
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!READ_PORT_USHORT] 57B80974
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8B000000
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[HAL.dll!WRITE_PORT_UCHAR] 56C35DE5
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[WMILIB.SYS!WmiSystemControl] 8D51FC4D
IAT \SystemRoot\System32\Drivers\atox1crd.SYS[WMILIB.SYS!WmiCompleteRequest] 8D52FD55
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\ac4yv4ec.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- Devices - GMER 1.0.15 ----

Device 8A4521F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\sptd \Device\3247559906 sphu.sys
Device \Driver\usbohci \Device\USBPDO-0 8A2EA500
Device \Driver\usbehci \Device\USBPDO-1 8A4091F8
Device \Driver\sptd \Device\3247716156 sphu.sys
Device \Driver\PCI_PNP8656 \Device\00000054 sphu.sys
Device \Driver\PCI_PNP8656 \Device\00000055 sphu.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{0966F872-6675-4638-ABE3-618858EBB6B0} 88BF2500
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A4C51F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A4C51F8
Device \Driver\Cdrom \Device\CdRom0 8A2961F8
Device \Driver\Cdrom \Device\CdRom1 8A2961F8
Device \Driver\atapi \Device\Ide\IdePort0 [B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E2FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom2 8A2961F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88BF2500
Device \Driver\NetBT \Device\NetbiosSmb 88BF2500
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbohci \Device\USBFDO-0 8A2EA500
Device \Driver\usbehci \Device\USBFDO-1 8A4091F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88E9A500
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
Device 88E9A500
Device \Driver\Ftdisk \Device\FtControl 8A4C51F8
Device \Driver\ac4yv4ec
\Device\Scsi\ac4yv4ec1Port4Path0Target0Lun0 8A288500 Device \Driver\nvgts \Device\Scsi\nvgts2Port3Path1Target1Lun0 8A4C41F8 Device \Driver\nvgts \Device\Scsi\nvgts1Port2Path0Target0Lun0 8A4C41F8 Device \Driver\atox1crd \Device\Scsi\atox1crd1 8A28D500 Device \Driver\atox1crd \Device\Scsi\atox1crd1Port5Path0Target0Lun0 8A28D500 Device \Driver\nvgts \Device\Scsi\nvgts1 8A4C41F8 Device \Driver\nvgts \Device\Scsi\nvgts2 8A4C41F8 Device \Driver\ac4yv4ec \Device\Scsi\ac4yv4ec1 8A288500 Device 88A6F500 Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x53 0xD6 0x22 0x5B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7E 0x66 0x73 0x82 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xAA 0x91 0x5D 0x33 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x20 0x3D 0x12 0x6E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCC 0x3C 0x8A 0xE5 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBB 0xF9 0xB1 0x48 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9E 0x17 0x3A 0x8C ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x53 0xD6 0x22 0x5B ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x7E 0x66 0x73 0x82 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6F 0xCF 0x15 0x03 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x20 0x3D 0x12 0x6E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xCC 0x3C 0x8A 0xE5 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xBB 0xF9 0xB1 0x48 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x9E 0x17 0x3A 0x8C ... ---- EOF - GMER 1.0.15 ----
Then I ran ComboFix....
ComboFix 09-11-01.04 - Window User 11/02/2009 17:06.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2603 [GMT -5:00]
Running from: c:\download\fix\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\sdra64.exe
Infected copy of c:\windows\System32\DRIVERS\nvgts.sys was found and disinfected
Restored copy from - Kitty ate it
.
((((((((((((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 )))))))))))))))))))))))))))))))
.
2009-11-02 22:04 . 2008-04-13 18:40 96512 -c--a-w- c:\windows\system32\dllcache\atapi.sys
2009-11-02 22:04 . 2008-04-13 18:40 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-11-02 22:04 . 2006-08-21 18:24 105344 ----a-w- c:\windows\system32\drivers\nvatabus.sys
2009-11-02 06:27 . 2009-11-02 06:27 -------- d-----w- c:\documents and settings\Window User\Application Data\Malwarebytes
2009-11-02 06:27 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-02 06:27 . 2009-11-02 06:27 -------- d-----w- C:\Malwarebytes' Anti-Malware
2009-11-02 06:27 . 2009-11-02 06:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-11-02 06:27 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-02 02:57 . 2009-11-02 02:57 -------- d-----w- C:\Trend Micro
2009-11-02 02:13 . 2009-11-02 02:13 93360 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2009-11-02 02:03 . 2009-11-02 03:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-11-02 01:44 . 2009-11-02 03:12 -------- d-----w- C:\Spybot - Search & Destroy
2009-11-02 01:44 . 2009-11-02 03:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-11-01 23:54 . 2009-11-01 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-01 23:54 . 2009-11-02 01:12 -------- d-----w- c:\documents and settings\Window User\Application Data\SUPERAntiSpyware.com
2009-11-01 23:54 . 2009-11-02 01:12 -------- d-----w- C:\SUPERAntiSpyware
2009-11-01 23:41 . 2009-11-01 23:41 -------- d-----w- C:\RootkitNO
2009-11-01 22:19 . 2009-11-01 22:19 2 --shatr- c:\windows\winstart.bat
2009-11-01 22:19 . 2009-11-02 00:34 -------- d-----w- C:\UnHackMe
2009-11-01 21:37 . 2009-11-01 21:37 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-01 21:37 . 2009-11-01 21:54 -------- d-----w- C:\DAEMON Tools Lite
2009-11-01 21:37 . 2009-11-01 21:37 -------- d-----w- C:\Any Video Converter Professional
2009-11-01 05:35 . 2009-11-01 05:35 -------- d-----w- c:\documents and settings\Window User\Local Settings\Application Data\Aspyr
2009-11-01 05:02 . 2009-11-01 05:02 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-01 04:50 . 2009-11-02 00:30 -------- d-----w- c:\program files\WinDefender32
2009-10-31 05:06 . 2009-10-31 05:06 -------- d-----w- c:\windows\45235788142C44BE8A4DDDE9A84492E5.TMP
2009-10-31 05:06 . 2009-11-02 00:55 -------- d-----w- C:\Codemasters
2009-10-21 07:04 . 2009-10-14 05:37 315392 ----a-w- c:\windows\system32\TubeFinder.exe
2009-10-21 07:04 . 2009-10-21 07:14 -------- d-----w- c:\documents and settings\Window User\Application Data\FreeFLVConverter
2009-10-21 07:04 . 2009-10-21 07:04 -------- d-----w- C:\Free FLV Converter
2009-10-21 07:04 . 2009-06-19 23:51 9728 ----a-w- c:\windows\system32\PCCLPFR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-10-21 07:04 . 2009-06-19 23:51 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-10-19 09:19 . 2009-10-19 09:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-10-05 06:19 . 2009-10-05 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
2009-10-05 06:18 . 2009-10-05 06:18 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-10-05 06:18 . 2008-04-07 09:38 22872 ----a-r- c:\windows\system32\AdobePDFUI.dll
2009-10-05 06:18 . 2008-04-07 09:38 45392 ----a-r- c:\windows\system32\AdobePDF.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-02 06:26 . 2009-02-12 11:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-02 06:26 . 2009-06-28 17:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Thomson.ResearchSoft.Installers
2009-11-01 22:20 . 2009-03-24 18:37 -------- d-----w- c:\documents and settings\Window User\Application Data\DAEMON Tools Lite
2009-11-01 21:52 . 2009-02-12 15:05 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-11-01 21:52 . 2009-03-24 18:37 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-11-01 21:34 . 2009-11-01 21:28 4928 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-11-01 11:18 . 2009-07-04 11:24 1103040 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-31 05:33 . 2009-02-13 22:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-10-28 17:13 . 2009-06-28 17:44 -------- d-----w- c:\documents and settings\Window User\Application Data\EndNote
2009-10-08 19:57 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2009-10-08 19:57 . 2003-03-31 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 19:56 . 2003-03-31 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2009-10-07 09:29 . 2009-02-12 12:20 31312 ----a-w- c:\documents and settings\Window User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-06 06:35 . 2009-09-10 05:11 -------- d-----w- c:\program files\Nitro PDF
2009-10-05 06:18 . 2009-02-12 19:35 -------- d-----w- c:\program files\Common Files\Adobe
2009-10-02 06:54 . 2009-10-02 06:54 -------- d-----w- c:\program files\ieSpell
2009-10-01 17:10 . 2009-09-10 05:12 -------- d-----w- c:\documents and settings\Window User\Application Data\PrimoPDF
2009-09-29 10:18 . 2009-09-29 10:13 -------- d-----w- c:\documents and settings\Window User\Application Data\Any Video Converter Professional
2009-09-22 11:09 . 2009-03-08 05:01 -------- d-----w- c:\program files\Brother
2009-09-20 08:22 . 2009-02-12 11:52 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-19 05:44 . 2009-09-19 05:44 -------- d-----w- c:\documents and settings\Window User\Application Data\Eltima Software
2009-09-18 04:22 . 2009-09-18 04:22 -------- d-----w- c:\documents and settings\Window User\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-09-18 03:41 . 2009-09-18 03:41 -------- d-----w- c:\documents and settings\Window User\Application Data\Reallusion
2009-09-18 03:35 . 2009-03-08 05:03 34 ----a-w- c:\windows\system32\BD2040.DAT
2009-09-18 03:29 . 2009-09-18 03:29 50 ----a-w- c:\windows\system32\bridf07a.dat
2009-09-18 03:27 . 2009-09-18 03:27 -------- d-----w- c:\program files\Nuance
2009-09-18 03:27 . 2009-09-18 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-09-18 03:27 . 2009-09-18 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallShield
2009-09-18 03:26 . 2009-09-18 03:26 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-09-18 03:26 . 2009-02-12 11:52 -------- d-----w- c:\program files\Common Files\InstallShield
2009-09-18 03:26 . 2009-09-18 03:26 -------- d-----w- c:\program files\ScanSoft
2009-09-18 03:26 . 2009-09-18 03:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Brother
2009-09-17 02:40 . 2009-09-17 02:40 -------- d-----w- c:\documents and settings\Window User\Application Data\adma
2009-09-16 07:12 . 2009-05-04 12:05 -------- d-----w- c:\documents and settings\Window User\Application Data\mIRC
2009-09-12 10:01 . 2009-03-24 16:56 -------- d-----w- c:\documents and settings\Window User\Application Data\NewsLeecher
2009-09-11 14:18 . 2003-03-31 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-09 03:15 . 2009-09-09 03:15 -------- d-----w- c:\program files\AviSynth 2.5
2009-09-06 08:11 . 2009-09-06 07:36 281760 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-09-06 08:11 . 2009-09-06 07:36 25888 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-09-04 21:03 . 2003-03-31 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll
2009-09-04 20:12 . 2009-09-04 20:12 -------- d-----w- c:\program files\Atari
2009-08-29 08:08 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-26 08:00 . 2003-03-31 12:00 247326 ------w- c:\windows\system32\strmdll.dll
2009-08-05 09:01 . 2003-03-31 12:00 204800 ------w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:52 . 2009-08-04 23:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
.
------- Sigcheck -------
[-] 2009-02-15 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-02-15 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\TCPIP.SYS
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2006-04-20 . B2220C618B42A2212A59D91EBD6FC4B4 . 360576 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2qfe\tcpip.sys
[-] 2006-04-20 . 1DBF125862891817F374F407626967F4 . 359808 . . [5.1.2600.2892] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp2gdr\tcpip.sys
[-] 2006-04-20 . B8158E2A6112C0A5CA67BC158FC70218 . 340480 . . [5.1.2600.1831] . . c:\windows\SoftwareDistribution\Download\556eb98436b65a8c1ffae674c83d197f\sp1qfe\tcpip.sys
[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
"AlcoholAutomount"="c:\alcohol soft\Alcohol 120\axcmd.exe" [2009-04-24 203928]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-08-03 36352]
"RivaTunerStartupDaemon"="c:\rivatuner v2.22\RivaTuner.exe" [2008-12-29 2732032]
"RemoteControl"="c:\cyberlink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"LanguageShortcut"="c:\cyberlink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"EVGAPrecision"="c:\evga precision\EVGAPrecision.exe" [2008-12-22 240656]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2009-01-21 92168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-06-26 115560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-27 13684736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-27 86016]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-08-23 198160]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 210472]
"PaperPort PTD"="c:\program files\ScanSoft\PaperPort\pptd40nt.exe" [2007-01-30 30248]
"IndexSearch"="c:\program files\ScanSoft\PaperPort\IndexSearch.exe" [2007-01-30 46632]
"PPort11reminder"="c:\program files\ScanSoft\PaperPort\Ereg\Ereg.exe" [2007-02-01 255528]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"Malwarebytes Anti-Malware (reboot)"="c:\malwarebytes' anti-malware\mbam.exe" [2009-09-10 1312080]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2009-02-17 17508864]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-11 20992]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-03-27 1657376]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]
c:\documents and settings\Window User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\mIRC\\mirc.exe"=
"c:\\Rockstar Games\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"c:\\Rockstar Games\\Grand Theft Auto IV\\GTAIV.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Codemasters\\Rise of the Argonauts\\Binaries\\RiseOfTheArgonauts.exe"=
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 9:29 PM 102448]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2/12/2009 7:06 AM 1684736]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [6/26/2009 11:22 AM 23888]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*Deregistered* - mbr
*Deregistered* - PROCEXP113
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
FF - ProfilePath - c:\documents and settings\Window User\Application Data\Mozilla\Firefox\Profiles\115u7vry.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/advanced_search?hl=en
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -
SafeBoot-Symantec Antvirus
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 17:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A4C31F8]<<
kernel: MBR read successfully
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\cyberlink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1343024091-562591055-725345543-1004\Software\SecuROM\License information*]
"datasecu"=hex:1c,b5,1f,2a,35,c7,dd,bc,60,99,29,30,10,52,c6,33,80,a3,63,ab,59,
83,01,34,99,9f,a2,de,9c,75,c9,4e,35,87,76,2d,09,ba,12,14,a9,88,f7,c2,50,96,\
"rkeysecu"=hex:5e,06,95,84,54,bc,ea,5e,7b,64,dd,0b,25,98,e8,2b
.
Completion time: 2009-11-02 17:11
ComboFix-quarantined-files.txt 2009-11-02 22:11
Pre-Run: 332,230,701,056 bytes free
Post-Run: 332,812,492,800 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
- - End Of File - - F2355E43F9553E1E2BA9D4F7C71F7674
Edited by LDTate, 05 November 2009 - 04:17 PM.